In March 2021, we investigated a backdoor with a unique modular architecture and named it BumbleBee because of a string embedded within the malware. In our latest investigations, we have now found a controller application that expands its capabilities.
Updated on Sept. 6, 2022, at 11:55 p.m. ET to clarify the rationale behind the naming of this BumbleBee malware.
Updated on Sept. 2, 2022, at 9:55 p.m. ET to clarify the difference between this BumbleBee malware and the Bumblebee ransomware loader.
In March 2021, we investigated a backdoor with a unique modular architecture. This kind of modular framework made our static analysis more difficult because it required us to first rebuild its structure or use dynamic analysis to understand its functionality and behavior.
We named it "BumbleBee" since the developer of this tool originally named it as such ("bumblebee" in Chinese: 大黄蜂).
Our analysis found that BumbleBee carries only a small amount of malicious code in its payload, and what it does on the surface is monitor keystrokes and clipboard content. However, further investigation revealed a controller application that expands the malware's capabilities.
This type of backdoor is similar to another of its kind called BookWorm, from which it can be inferred that BumbleBee is a refactored version of BookWorm. At the time of writing, BumbleBee has only been deployed in Taiwan; together with its use of Simplified Chinese as the language of its user interface, this malware can be suspected to be deployed by malicious Chinese actors. This blog will tackle BumbleBee's capabilities and our analysis of this backdoor. It is important to note that this BumbleBee malware family is different from the Bumblebee loader, a loader malware that is used by ransomware groups to drop backdoors in order to gain access to corporate networks.
BumbleBee is a modular backdoor that consists of two applications, a server and a client application (a master and slaver application, respectively, in the malware's jargon). Once the client application is deployed on the target computer (these are commonly local government devices), threat actors can control the machine using the server module. Let us take a deeper look into this backdoor.
Layered deployment – client application
We encountered the client application in a security breach incident. Its unique "layer-in-layer" architecture caught our attention. The module is a self-extracting file that contains three main parts: a legitimate executable (XcrSvr.exe), a side-loaded DLL (XecureIO_v20.dll), and the shellcode binary file (ore), placed in the file system so that the legitimate executable can be run.
XCrSvr.exe is the executable of the XecureVistaCryptoSvr module developed by SoftForum. This file is abused to launch the side-loaded DLL, XecureIO_v20.dll, which works as the next-stage loader that executes the shellcode "ore," the main component of this backdoor. This shellcode contains several modules of its own (shown in Table 1). Each module has corresponding 32-bit and 64-bit versions of its binaries in the shellcode, except for launcher.dll.
| Module | Description |
| --- | --- |
| launcher.dll | The first-stage launcher that loads all the following modules. It decrypts a list of modules in memory and executes each in order. |
| kernel.dll | The utility component that controls all the other modules. |
| installer.dll | The module used to install components on the compromised machine. |
| keylog.dll | The keylog component monitors the victim's keystrokes and clipboard content, and records actions by the victim such as running a process, entering a password, and getting the text of a window. The stolen data is then XORed with the two-byte key 0xF29D and saved under %temp%\kb\[UserName]. The timestamp is used as the file name. |
| loader.dll | The module that reads the shellcode. |
| slaver.dll | The main module that interacts with the other methods once the backdoor is launched. |
Table 1. BumbleBee's modules
If a victim is compromised for the first time, launcher.dll loads and launches all the other modules. The installer module is responsible for the installation and for establishing persistence on the compromised machine through the following steps:
- Drop a copy of XecureIO_v20.dll in the %APPDATA%\LOCAL\TEMP folder.
- Encrypt the original shellcode file (to become a "bin" file) and the path information (to become a "path" file) using the RC4 algorithm (the key is the value of "ProductID" from "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Registration").
- Drop bpu.dll (used to bypass UAC) and launch it via rundll32.exe.
- Establish persistence on the compromised machine.
- Delete the original SFX file.
Notably, when XecureIO_v20.dll is loaded by XcrSvr.exe, it checks whether the parent process is "XcrSvr.exe." If so, it patches the entry point of XcrSvr.exe with a long jump instruction to redirect execution flow to the malicious code.
Based on our analysis, we think the reason is that the malicious code embedded in XecureIO_v20 would not run if the normal execution flow of XCrSvr.exe were followed. Hence, once XecureIO_v20.dll is loaded by XCrSvr.exe, it patches the entry point of XCrSvr.exe and jumps to the address of the malicious code to make sure the code is executed properly.
After the client is installed and persistence is established, the loader, XecureIO_v20.dll, retrieves the value of "ProductID" from the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Registration" and uses it as the key to decrypt the encrypted payload (the file "bin") dropped during the first installation. Using information from the compromised machine as the key that encrypts the payload makes it much more difficult for analysts to decrypt and debug the malware in an analysis environment.
| File | Description |
| --- | --- |
| path | An RC4-encrypted path string used to find the location of the next-stage shellcode. It can be a file path or a registry path starting with HKLM or HKCU. |
| bin | The next-stage RC4-encrypted shellcode payload. |
Table 2. Payload file names
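The environmental keying described above is easy to reproduce from the analyst's side: given the victim's ProductID (read from the live registry or from a hive in a forensic image), the "bin" and "path" files can be recovered with plain RC4, and without it they cannot. The following is an added example, not code from the original post or from the malware; it assumes the ProductID string is used as the raw ASCII RC4 key, and the ProductID and path values it uses are constructed placeholders.

```python
import sys

# Registry location the post names as the source of the RC4 key (the ProductID value).
IE_REGISTRATION_KEY = r"SOFTWARE\Microsoft\Internet Explorer\Registration"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def product_id_from_registry():
    """Read HKLM\\...\\Registration\\ProductID on a live Windows host.
    Returns None elsewhere; when working from a forensic image, pass the value
    taken from the offline hive to decrypt_payload() instead."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IE_REGISTRATION_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "ProductID")
        return value


def decrypt_payload(blob: bytes, product_id: str) -> bytes:
    """Recover a dropped 'bin' or 'path' file. Using the ProductID string as the
    raw ASCII key is an assumption; the post does not state the key encoding."""
    return rc4(product_id.encode("ascii"), blob)


# Constructed demo values (placeholders, not taken from a real infection).
DEMO_PRODUCT_ID = "00000-00000-00000-AAAAA"
DEMO_PATH = b"HKLM\\SOFTWARE\\PLACEHOLDER\\stage2"
DEMO_PATH_BLOB = rc4(DEMO_PRODUCT_ID.encode("ascii"), DEMO_PATH)  # what 'path' would hold

if __name__ == "__main__":
    print("correct key ->", decrypt_payload(DEMO_PATH_BLOB, DEMO_PRODUCT_ID))
    print("wrong key   ->", decrypt_payload(DEMO_PATH_BLOB, "11111-11111-11111-BBBBB"))
```

The same RC4 routine is the primitive the post later describes for the C&C traffic, so it can be reused there once the session key is known.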
Expanded control – server application
Because of BumbleBee's complex client application, it took some time for us to fully analyze its functionality. While doing so, we came across the server application of the malware, which acts as a controller. This gave us a further understanding of how BumbleBee works.
While the client application is running on the infected system, it communicates with the server application and reports information about the machine it is on. Details such as computer name, external IP address, geographic location, OS, CPU, and memory are collected by the client application.
Based on the options in the server application shown in Figure 7, we can determine that it supports the following capabilities for controlling the compromised machine:
| Option | Capability |
| --- | --- |
| 文件管理 (File management) | Upload/download/delete/list files in the victim's environment |
| 屏幕控制 (Remote desktop control) | Control the victim's desktop remotely |
| 进程管理 (Process management) | List and manage running processes with their image names, current folder, process ID, and parent process ID |
| 服务管理 (Service management) | List and manage the status of current services |
| 注冊表编辑 (Registry editor) | List and manage the victim's registry keys |
| 控制台命令 (Command shell) | Execute the command shell |
| 交互式控制台 (Interactive console) | Execute the command shell |
| 反向代理 (Reverse proxy) | Reverse proxy to help expose a local server behind a NAT or firewall to the internet |
| 键盘记录 (Keylogger) | Log keystrokes and clipboard contents |
Table 3. Supported capabilities
BumbleBee's modular framework allows it to embed only a small amount of malicious code, consisting of keystroke and clipboard theft, in the client's shellcode. However, it can expand its capabilities through its server application by loading more modules. This design shows that BumbleBee is flexible, allowing its developers to focus on developing more modules instead of having to rebuild the malware itself. Its structure may also reduce the risk of exposing itself and its modules to analysts for comparison.
BumbleBee communicates over the HTTP protocol. It first creates an HTTP request that acts as a network beacon to notify the command and control (C&C) server. The POST request to the following URL, http://<C&C server>/update/, is the initial network beacon. The client application sends information about the compromised machine, encrypted with RC4 (see Figure 8 and Figure 9), once the first connection is established successfully. All other communication traffic, apart from the victim information, is encrypted between the server and client applications using RC4 and compressed with the LZO (Lempel–Ziv–Oberhumer) algorithm.
To make sure the received payload is intact, BumbleBee uses a CRC32 checksum in reversed-presentation mode to verify the received data. For the CRC32 calculation, a self-defined value, "20200105", is used as the initial value (normally, the value is 0xffffffff).
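The practical consequence of the non-standard seed is that a stock CRC32 tool will never reproduce BumbleBee's checksums, so an analyst who wants to validate captured payloads needs a reflected CRC32 with a configurable initial value. The block below is an added example, not code from the original post or from the malware; it assumes the self-defined value "20200105" is the 32-bit constant 0x20200105 and that the usual final XOR with 0xFFFFFFFF is still applied, and the sample message it checks is constructed.

```python
# Reflected (LSB-first) form of the standard CRC-32 polynomial 0x04C11DB7.
POLY_REFLECTED = 0xEDB88320
STANDARD_INIT = 0xFFFFFFFF
# The post says BumbleBee seeds the CRC with the self-defined value "20200105";
# reading that as the 32-bit constant 0x20200105 is an assumption made here.
BUMBLEBEE_INIT = 0x20200105


def make_table() -> list:
    """Byte-at-a-time lookup table for the reflected polynomial."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ POLY_REFLECTED if c & 1 else c >> 1
        table.append(c)
    return table


CRC_TABLE = make_table()


def crc32_reflected(data: bytes, init: int = STANDARD_INIT) -> int:
    """CRC-32 in reflected ('reversed presentation') mode with a configurable seed.

    With init=0xFFFFFFFF this is the ordinary CRC-32 (identical to zlib.crc32).
    The final XOR with 0xFFFFFFFF is kept as in standard CRC-32; the post only
    mentions the changed seed, so keeping the final XOR is an assumption.
    """
    crc = init
    for b in data:
        crc = CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return (crc ^ 0xFFFFFFFF) & 0xFFFFFFFF


def verify_payload(payload: bytes, expected: int, init: int = BUMBLEBEE_INIT) -> bool:
    """True if the payload matches the checksum the peer sent, using the custom seed."""
    return crc32_reflected(payload, init) == expected


# Constructed sample: a fake decrypted C&C message, not real BumbleBee traffic.
SAMPLE = b"hostname=WS01;os=Windows 10;cpu=4"

if __name__ == "__main__":
    std = crc32_reflected(SAMPLE)
    custom = crc32_reflected(SAMPLE, BUMBLEBEE_INIT)
    print(f"standard CRC-32 : {std:08x}")
    print(f"seed 0x20200105 : {custom:08x}")
    print("stock checksum accepted by the custom check:", verify_payload(SAMPLE, std))
```

Because CRC is linear and the shift register is invertible, two different seeds can never produce the same checksum for the same message, so a mismatch against a standard CRC32 is expected rather than a sign of corruption.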
During the investigation, we found that BumbleBee uses several techniques for persistence, selected according to its configuration. These are the techniques used by the BumbleBee sample we found:
- Abuse a registry Run key to execute the malware every time the system boots
- Create Windows services to repeatedly execute malicious payloads
- Use Windows logon scripts, which are executed automatically at logon initialization, to establish persistence by adding the registry value "UserInitMprLogonScript" under HKEY_CURRENT_USER\Environment
Because of its unique modular structure and installation procedure, we started a literature review to clarify whether it is an original tool used by a particular threat actor. We found a similar backdoor, "BookWorm," published by Palo Alto in 2015. They share the following features:
- Both are self-extracting files and abuse legitimate executables to load custom-made malware.
- Both use the same registry value as the RC4 encryption key for their payload.
- Both use a modular architecture in the design of the backdoor.
- Both appeared in Southeast Asia, targeting local government-related organizations (similar victimology).
- Both use the RC4 and LZO algorithms in C&C communications (similar network protocol).
We think BumbleBee is likely to be a refactored BookWorm backdoor. They have similar tactics, techniques, and procedures (TTPs), the same unusual encryption approach, and similar target sectors. Based on the language (Simplified Chinese) shown in the server application, we suspect that the origins and developers of BumbleBee may be in China or of Chinese descent.
Since BumbleBee and BookWorm share the same features, BumbleBee is likely a refactored form of the latter. Given its focus on Asian local government targets, all indicators point to a suspect linked to a Chinese hacker group.
BumbleBee, being a modular framework, is not only flexible but also sophisticated, as it requires analysts to investigate its structure and behavior. Another aspect of a modular framework is that its developers can easily keep creating more modules, since these can simply be integrated with the current version of the malware.
With its modular capabilities, the threat could deploy more modules that may prove dangerous. Thus, an advanced layer of protection and quick detection are required to prevent the backdoor from taking root in the system. Trend Micro Vision One™ offers both across the different entry points of a backdoor.
| Tactic | Technique |
| --- | --- |
| Defense Evasion | T1574.002 – Hijack Execution Flow: DLL Side-Loading |
| | T1070.004 – Indicator Removal on Host: File Deletion |
| | T1055 – Process Injection |
| | T1480.001 – Execution Guardrails: Environmental Keying |
| Persistence | T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| | T1037.001 – Boot or Logon Initialization Scripts: Logon Script (Windows) |
| | T1548.003 – Create or Modify System Process: Windows Service |
| Privilege Escalation | T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control |
| Collection | T1056.001 – Input Capture: Keylogging |
| Reconnaissance | T1592 – Gather Victim Host Information |
| Command and Control | T1071.001 – Application Layer Protocol: Web Protocols |
| | T1090 – Proxy |
| | T1573.001 – Encrypted Channel: Symmetric Cryptography |
| | T1132.001 – Data Encoding: Standard Encoding |
| Resource Development | T1587.001 – Develop Capabilities: Malware |